SECURITY - IDG Communications


SECURITY: “Back to the Future”:
Revisiting Trusted Computer Systems as a Basic Protection Requirement
1
"For many, the cyber threat is hard to understand; no one has died in a cyberattack, after all, there has never been a smoking ruin for cameras to see,"
"It is the kind of thinking that said we never had a major foreign terrorist attack in the United States, so we never would; al Qaeda has just been a nuisance, so it never will be more than that."
Richard A Clarke, 8 April 2003
Reported Testimony before House Government Reform Subcommittee, USA, 8-4-2003
Richard A Clarke (former Cybersecurity Advisor to the White House)
2
Report: 8 April 2003, Washington Post at http://www.washingtonpost.com
9 April 2003
3
4
5 THEMES:
1. Computer security needs radical attention after over 20 years of neglect
5
5 THEMES:
2. Computer security technology - understood for over 25 years, BUT associated products limited; move beyond “perimeter” security
6
5 THEMES:
3. Response in commodity IT products - almost nonexistent - no market for “trusted” computer systems
7
5 THEMES:
4. CIOs and IT professionals - take lead!
- warn senior management of risks and consequences
- say “no” to the use of cheap, commodity products for mission critical systems under the threat of legal action to both themselves and their boards
8
5 THEMES:
5. Government must step in to cause the industry
- to “lift its game” in this area, as in automobile, pharmaceuticals, food and like industries,
- unless, via education and training, the market for security can be lifted by normal market forces in a rapid manner?
9
Today’s Context.
10
“Sunday” – Channel 9, 6 April 2003.
Menangle Bridge, NSW – CLOSED 27 Mar ’03, WARNED 6 Mar ‘03
NSW Transport Services (Rail)
“…They’re frightened of bringing bad reports to the Government…. ….. They’ve been managed for good news..”
11
AUSTRALIAN FINANCIAL REVIEW, 15 April 2003.
“Judge urges directors to end ‘climate of fear’.”
ASIC Chair, Mr David Knott: ”Business and its advisors need to demonstrate by their conduct and their actions that the government and corporate regulators have been justified in refraining from more radical surgery.”
HIH Royal Commission
12
BUSINESS IMPERATIVES
13
IMPERATIVES
• LEGISLATORS
• DIRECTORS
• MANAGERS
• IT PROFESSIONALS
14
IMPERATIVES
IT PROFESSIONALS – Roles & Obligations
• Development
• Deployment
• Operation
• Investigation
• Litigation
15
COMPUTER SECURITY
16
17
September 2002
Otellini
18
COMPUTERS
• The basis for protection on the Internet.
• General purpose and embedded
IT’S NOT THE ‘NET, IT’S THE NODES!
19
Forrester, March 2003: “Can Microsoft Be Secure?”
• 74% of users don’t trust Microsoft security
• 9 out of 10 users deploy sensitive applications on Windows, anyway.
20
“..I’m not proud… We really haven’t done everything we could to protect our customers …. Our products just aren’t engineered for security”
Brian Valentine, Senior Vice-President, Microsoft Windows Development
Computerworld (Australia), September 16, 2002. Page 14.
21
VENDOR ESCAPE: MICROSOFT
(Mundie, 8 Oct. 2002, RSA, Paris)
• Question: 25 years to go “trustworthy”?
• Reply:
• “Customers wouldn’t pay for it until recently.”
• “Information officers ..only recently begun to demand security.”
• “.. Only in last 10 years that Microsoft has attempted to play in the security-requiring worlds of banking, payroll and networked systems…”
22
WINDOWS NT / 2000 / XP EXPERIENCE
“Although each Win32 process has its own private memory space, kernel-mode operating system and device driver code share a single virtual address space… Windows 2000 doesn't provide any protection to private read/write system memory being used by components in kernel mode. In other words, once in kernel mode, operating system and device driver code has complete access to system space memory and can bypass Windows 2000 security to access objects."
Solomon, D and Russinovich, M, "Inside Microsoft Windows 2000" - Third Edition, Microsoft Press, Redmond, Washington, USA, 2000
Callouts on slide: Every IT professional can learn how to write a driver! Every user can install a driver!
23
ATTITUDE, ENVIRONMENT, MARKET – 1980s
IBM Advertisement, BYTE Magazine: Dec. 1985.
IBM PC Ad – 1981.
24
eWeek
April 18, 2003
Securing Windows Server 2003
By Dennis Fisher
SAN FRANCISCO—The upcoming release of Windows Server
2003 is a watershed event, not only for the Windows group, but
also for the security team at Microsoft Corp. Company
executives have made it quite clear over the last few months
that the next version of the flagship operating system will be a
key test for the processes and improvements made as part of
the Trustworthy Computing initiative.
In fact, Dave Aucsmith, chief technology officer of the Security
Business Unit at Microsoft, based in Redmond, Wash., said if
the OS is found to be as vulnerable as previous versions of
Windows, it will mean that the company's model for improving
security "was wrong."
Solution: Look at the base!
25
The riches won't flow until Wi-Fi security reaches industrial
grade. Corporations are hankering for the power and
flexibility of Wi-Fi networks, but many are postponing rollouts
in strategic areas until they're convinced that hackers, spies,
and competitors can't intercept wireless data. General Motors
Corp. has deployed Wi-Fi in 90 manufacturing plants but is
holding off on Wi-Fi at headquarters until next year. Why?
Execs worry that until new encryption is in place, guests at a
Marriott Hotel (MAR ) across the street could log on to GM's
network and make off with vital memos and budgets. Industry
analysts say a slew of airtight Wi-Fi security systems will be
out next year. But delays or news of security breaches could
pummel confidence in the technology.
BW
28 April 2003
THE PROBLEM CONTINUES !
SECURE FROM THE START ?
26
ADD-IN SECURITY
27
“End systems must be able to enforce the separation of information based on confidentiality and integrity requirements to provide system security. Operating system security mechanisms are the foundation for ensuring such separation. Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. As a consequence, application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed applications can easily cause failures in system security.”
NSA & NAI Labs, 18 Dec. 2000
UNDENIABLE EXPERT TESTIMONY IN LITIGATION!
28
TCPA – Trusted Computing Platform Alliance
• 145 PC & related manufacturers/enterprises at 30 Jan 2001
• Main specification - 25 January 2001
• “ … a sensible layperson should trust only those systems that have been publicly examined by the (cryptographic and security) community…”
• Implied: Current PCs DO NOT MEET THIS need.
• For a while - detection vs prevention
UNDENIABLE EXPERT TESTIMONY IN LITIGATION!
29
OKENA - CISCO (April 2003): INSIDE THE COMPUTER OS
30
CRYPTO INTEGRATION
“.. hardware on which applications run must be secure, as must the operating system and run time environment in between, while offering a reasonable API for application developers… .. applications cannot be more secure than the kernel functions they call, and the operating system cannot be more secure than the hardware that executes its commands..”
Dyer et al – “Building the IBM 4758 Secure Coprocessor”, IEEE Computer, October 2001.
31
32
What’s in a Name?
• The technology formerly known as “Palladium” from 24 January 2003 will be called: “Next-Generation Secure Computing Base for Windows” – NGSCBW ???
Real security architecture or another BIG patch?
33
MS says NGSCBW is…
• Code name for core components of Windows OS that combine hardware and software to ensure:
• System integrity
• Personal privacy
• Information protection
• Needs the commitment of the entire computer industry (software, hardware, ISPs, etc)
From Presentation “Trustworthy Computing and Palladium”, John Manferdelli – General Manager Windows Trusted Platform Technologies. Downloaded from http://www.netproject.com/presentations/ TCPA/john_manferdelli.pdf
34
WEB SERVICES
35
“Building castles on quicksand”
[Diagram: AUTH, ROLE, PRIV, POLIC, TRUST, AUDIT functions resting on the layers below]
WEB SERVICES SECURITY
OPERATING SYSTEM SECURITY
MIDDLEWARE SECURITY
HARDWARE SECURITY
36
TODAY
37
Conclusions (1)
• The 20 year syndrome in action – Intel and Microsoft
– better & easier solutions exist!
– Selective IT industry amnesia
• Nothing was done before the PC and 1982!
– All useful IT research is on the Web
• Intel, Microsoft & TCPA: Read the Intel manuals! Read the literature!
• Government action IS needed! (Forget “light touch”!)
Prior trusted systems cited on slide: Multics, GEMSOS, DEC VAX, Trusted XENIX, Intel 286
38
Security IS NOT & NEVER HAS been market led or vendor driven
e.g. seat belts, fire extinguishers, smoke detectors, pool fences, etc.
39
Motor Vehicle Standards Act 1989
Act No. 65 of 1989 as amended
Consolidated as in force on 20 April 1999 (includes amendments up to Act No. 8 of 1999)
Prepared by the Office of Legislative Drafting, Attorney-General’s Department, Canberra
AN EXCELLENT & PROVEN MODEL! INDUSTRY TECHNICAL STANDARDS WITH LEGISLATIVE ENFORCEMENT
40
CONCLUSIONS (2)
• Trusted Systems with Mandatory Security as enterprise servers
• Moving beyond perimeter security, which is impractical for web-services (CIL parsing?)
• Plain English evaluation docs!
• Separate TCP/IP networks for critical B2B e-commerce
41
HP-UX 11i ( CAPP/EAL4 )
HP-UX 11i is Hewlett-Packard’s UNIX®-based operating
environment specifically targeted at Internet applications.
HP-UX 11i delivers an end-to-end scalable, manageable, and
secure infrastructure for developing, deploying, and brokering
mission-critical e-services. HP-UX 11.11 has been submitted
for evaluation to the Common Criteria evaluation assurance
level EAL4, against the functional requirements in the
Controlled Access Protection Profile. The target environment is
for systems that may execute on a single HP 9000 Server or
be connected to other HP 9000 Servers identically
configured to form a local distributed system
implementing a unified security policy.
Solution: HP Virtual Vault !!
?
42
HP-UX BLS / Virtual Vault
Virtualvault is built on a security hardened version of the HP-UX operating system
43
IBM AIX Version 4.3.1 – B1/EST-X Vers 2.0.1
44
Trusted Solaris 8 4/01 … multilevel trusted operating environment
Meets and exceeds
• Labeled Security,
• Role-based Access Control, and
• Controlled Access
protection profiles of the Common Criteria.
Features include:
• MAC and DAC - including ACLs;
• Least privilege;
• Trusted networking and trusted NFS;
• Identification and authentication;
• Roles for separating user and administration capabilities;
• Rights profiles;
• Multilevel windowing environment;
• Centralized administration ….;
• Auditing actions of users and roles.
45
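The NSA/NAI Labs quote above (slide 28) and the Trusted Solaris feature list (MAC and DAC, labeled security) make the same point: discretionary permissions can be loosened by a flawed or malicious application, but mandatory labels cannot. The following simulated reference monitor is an added illustration, not code from the talk or from any of the products it names; the sensitivity levels, user names and file names are constructed.

```python
from dataclasses import dataclass, field

# Constructed sensitivity lattice (assumption): higher number dominates lower.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

@dataclass
class Obj:
    owner: str
    label: str
    acl: dict = field(default_factory=dict)  # user -> set of "r"/"w" modes

@dataclass
class Subject:
    user: str
    label: str

def dominates(a: str, b: str) -> bool:
    # Label a dominates label b when a is at least as sensitive as b.
    return LEVELS[a] >= LEVELS[b]

def dac_allows(s: Subject, o: Obj, mode: str) -> bool:
    # Discretionary check: the owner, or anyone the owner put on the ACL.
    return s.user == o.owner or mode in o.acl.get(s.user, set())

def mac_allows(s: Subject, o: Obj, mode: str) -> bool:
    # Mandatory check (Bell-LaPadula): no read up, no write down.
    if mode == "r":
        return dominates(s.label, o.label)
    return dominates(o.label, s.label)

def access(s: Subject, o: Obj, mode: str) -> bool:
    # Reference monitor: DAC and MAC must both agree; the application and the
    # file owner can change the ACL, but only the TCB sets labels.
    return dac_allows(s, o, mode) and mac_allows(s, o, mode)

def demo() -> dict:
    alice = Subject("alice", "SECRET")
    mallory = Subject("mallory", "UNCLASSIFIED")
    memo = Obj(owner="alice", label="SECRET")          # sensitive document
    public = Obj(owner="alice", label="UNCLASSIFIED")  # world-readable file
    # A flawed application running as alice relaxes the memo's ACL for mallory.
    memo.acl["mallory"] = {"r"}
    return {
        "dac_alone_leaks": dac_allows(mallory, memo, "r"),   # DAC would grant
        "mac_blocks_read_up": not access(mallory, memo, "r"),
        "mac_blocks_write_down": not access(alice, public, "w"),
        "legitimate_write": access(alice, memo, "w"),
    }
```

Run `demo()`: every entry comes back True, showing that the ACL change alone would have leaked the memo, while the label check blocks both the read-up and a write-down by a trojan running as alice.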
Windows’2000 (CAPP/EAL4)
As for HP-UX 11i
“ .. to be used in .. a relatively benign environment…..”
“ .. all information on the system .. same level ..”
“.. All users authorized for that level of information .. not all the data…”
“ users not expected to be trustworthy..”
“ administrators are assumed to be trusted and competent…”
“ ..all elements of the network operate under the same security rules and constraints and are subsumed under a single management domain…”
Translation: Forget Internet connection!
46
CONCLUSIONS (3)
• For CIO/CSO
• Learning to say “NO!”
• Growing legal and corporate responsibility
• Start with the simple
• PINPad experience!
• Learn trusted systems
47
ISRC – Information Security Research Centre at QUT
48
THANK YOU.
20th ANNIVERSARY
49